Follows up on #978, which had the following problems:
- too many requirements files (cc @trishankatdatadog ;)
- used extra tooling around pip-compile that
  - didn't take into account requirement markers (see comments
    in requirements.txt in this commit), and
  - confused Dependabot, which expects the hashed requirements
    file in a certain format, as pip-compile would generate it
    without custom tooling (see #979).
This commit restructures the requirements files as follows:
- Merges requirements-tox.txt and requirements-test.txt. The
separation was semantically correct but operationally irrelevant.
- Removes the hashed requirements file, which doesn't add much
security, especially with PEP 458 on the way (see python/peps#1306),
but extra maintenance (see notes about requirements.txt in #978
and about Dependabot above)
- Manually adds environment markers to requirements-pinned.txt (see
comments in requirements.txt in this commit).
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
* Use suffixed instead of prefixed sub-requirements files to group
them alphabetically in the file tree.
* Layer requirements files akin to the in-toto project
(see in-toto/in-toto#294). The hierarchy is:
  - *requirements.in*
    tuf runtime requirements, including optional requirements
    (pynacl and cryptography)
  - *requirements-pinned.txt*
    pinned tuf runtime requirements, including optional
    and transitive (1 level deep) requirements and their hashes.
    The file is generated semi-automatically using pip-compile
    and a bash script (see document header), based off of
    requirements.in, combining requirements from all supported
    Python versions.
    This file should be auto-updated, by e.g. dependabot, and be used
    for ci/cd tests, to catch issues with new dependencies.
  - *requirements-test.txt*
    additional test runtime requirements
  - *requirements-tox.txt*
    combines requirements.txt, requirements-test.txt and additional
    test tools (for linting and coverage), i.e. everything that is
    needed in each tox environment to run the tests.
  - *requirements-dev.txt*
    lists tox for local development and testing, and also
    requirements-tox.txt and tuf in editable mode to run
    the test suite or individual tests directly.
  - *requirements.txt*
    requirements-pinned.txt with the hashes of the dependencies
    as reported by pip at the time of creating the file.
    NOTE: this is not used for testing or dev-install because pip
    doesn't allow mixed (with and without hashes) installations.
    This file should also be auto-updated, by e.g. dependabot.
* Removes an obsolete version constraint on coverage
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
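As an added example, not part of this commit and not the project's own merge script (which the message only refers to by its document header), the following Python shows the combining step the message describes: it takes the pinned output pip-compile produced under each supported Python version and emits one list in which a pin that pip-compile only chose for some interpreters carries an explicit environment marker. Package names and versions in the sample are constructed.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Matches "name==version" at the start of a pip-compile output line; stops
# before a marker (";"), a hash continuation ("\") or trailing whitespace.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s;\\]+)")


def parse_pins(lines: Iterable[str]) -> Dict[str, str]:
    """Return {normalized name: pinned version} for one pip-compile output."""
    pins: Dict[str, str] = {}
    for line in lines:
        line = line.split("#", 1)[0]  # drop "# via ..." annotations
        match = PIN_RE.match(line)
        if match:  # "--hash=" continuation lines never match
            pins[match.group(1).lower().replace("_", "-")] = match.group(2)
    return pins


def merge_pins(per_version: Dict[str, List[str]]) -> List[str]:
    """Combine per-interpreter pins; mark pins that not every version shares."""
    all_versions = set(per_version)
    # (name, version) -> Python versions under which pip-compile chose that pin
    chosen_under: Dict[tuple, set] = defaultdict(set)
    for py, lines in per_version.items():
        for name, version in parse_pins(lines).items():
            chosen_under[(name, version)].add(py)
    merged = []
    for (name, version), pys in sorted(chosen_under.items()):
        if pys == all_versions:
            merged.append(f"{name}=={version}")
        else:  # PEP 508 marker restricting the pin to the interpreters that need it
            marker = " or ".join(f'python_version == "{py}"' for py in sorted(pys))
            merged.append(f"{name}=={version} ; {marker}")
    return merged


# Constructed sample: what pip-compile might print under three interpreters.
# Names and versions are illustrative only, not real pins of the project.
SAMPLE_OUTPUT = {
    "3.6": ["cryptography==3.2.1  # via -r requirements.in", "pynacl==1.4.0",
            "six==1.15.0", "dataclasses==0.8  # via securesystemslib"],
    "3.7": ["cryptography==3.3.1", "pynacl==1.4.0", "six==1.15.0"],
    "3.8": ["cryptography==3.3.1", "pynacl==1.4.0", "six==1.15.0"],
}

if __name__ == "__main__":
    print("\n".join(merge_pins(SAMPLE_OUTPUT)))
```

Because the merged file carries markers, pip on each interpreter installs exactly the set pip-compile resolved there, which is what lets a single requirements-pinned.txt serve every tox environment.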